CVE-2024-41131 - OpenCVE

ImageSharp is a 2D graphics API. An Out-of-bounds Write vulnerability has been found in the ImageSharp gif decoder, allowing attackers to cause a crash using a specially crafted gif. This can potentially lead to denial of service. All users are advised to upgrade to v3.1.5 or v2.1.9.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Sixlabors	Imagesharp

Configuration 1 [-]

OR	cpe:2.3:a:sixlabors:imagesharp::::::::
	cpe:2.3:a:sixlabors:imagesharp::::::::

No data.

References

Link	Providers
https://github.com/SixLabors/ImageSharp/commit/9dda64a8186af67baf06b6d9c1ab599c3608b693
https://github.com/SixLabors/ImageSharp/commit/a1f287977139109a987065643b8172c748abdadb
https://github.com/SixLabors/ImageSharp/pull/2754
https://github.com/SixLabors/ImageSharp/pull/2756
https://github.com/SixLabors/ImageSharp/security/advisories/GHSA-63p8-c4ww-9cg7

History

Wed, 11 Sep 2024 15:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Sixlabors Sixlabors imagesharp
CPEs		cpe:2.3:a:sixlabors:imagesharp::::::::
Vendors & Products		Sixlabors Sixlabors imagesharp

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-07-22T14:24:42.461Z

Updated: 2024-08-02T04:46:52.374Z

Reserved: 2024-07-15T15:53:28.324Z

Link: CVE-2024-41131

Vulnrichment

Updated: 2024-08-02T04:46:52.374Z

NVD

Status : Analyzed

Published: 2024-07-22T15:15:03.933

Modified: 2024-09-11T14:40:29.460

Link: CVE-2024-41131

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-41131", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-07-15T15:53:28.324Z", "datePublished": "2024-07-22T14:24:42.461Z", "dateUpdated": "2024-08-02T04:46:52.374Z"}, "containers": {"cna": {"title": "Out-of-bounds Write in SixLabors ImageSharp", "problemTypes": [{"descriptions": [{"cweId": "CWE-787", "lang": "en", "description": "CWE-787: Out-of-bounds Write", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/SixLabors/ImageSharp/security/advisories/GHSA-63p8-c4ww-9cg7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/SixLabors/ImageSharp/security/advisories/GHSA-63p8-c4ww-9cg7"}, {"name": "https://github.com/SixLabors/ImageSharp/pull/2754", "tags": ["x_refsource_MISC"], "url": "https://github.com/SixLabors/ImageSharp/pull/2754"}, {"name": "https://github.com/SixLabors/ImageSharp/pull/2756", "tags": ["x_refsource_MISC"], "url": "https://github.com/SixLabors/ImageSharp/pull/2756"}, {"name": "https://github.com/SixLabors/ImageSharp/commit/9dda64a8186af67baf06b6d9c1ab599c3608b693", "tags": ["x_refsource_MISC"], "url": "https://github.com/SixLabors/ImageSharp/commit/9dda64a8186af67baf06b6d9c1ab599c3608b693"}, {"name": "https://github.com/SixLabors/ImageSharp/commit/a1f287977139109a987065643b8172c748abdadb", "tags": ["x_refsource_MISC"], "url": "https://github.com/SixLabors/ImageSharp/commit/a1f287977139109a987065643b8172c748abdadb"}], "affected": [{"vendor": "SixLabors", "product": "ImageSharp", "versions": [{"version": "< 2.1.9", "status": "affected"}, {"version": ">= 3.0.0, < 3.1.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-07-22T14:24:42.461Z"}, "descriptions": [{"lang": "en", "value": "ImageSharp is a 2D graphics API. An Out-of-bounds Write vulnerability has been found in the ImageSharp gif decoder, allowing attackers to cause a crash using a specially crafted gif. This can potentially lead to denial of service. All users are advised to upgrade to v3.1.5 or v2.1.9."}], "source": {"advisory": "GHSA-63p8-c4ww-9cg7", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "sixlabors", "product": "imagesharp", "cpes": ["cpe:2.3:a:sixlabors:imagesharp:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "2.1.9", "versionType": "custom"}, {"version": "3.0.0", "status": "affected", "lessThan": "3.1.5", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-22T20:46:35.145007Z", "id": "CVE-2024-41131", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-22T20:46:58.460Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:46:52.374Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/SixLabors/ImageSharp/security/advisories/GHSA-63p8-c4ww-9cg7", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/SixLabors/ImageSharp/security/advisories/GHSA-63p8-c4ww-9cg7"}, {"name": "https://github.com/SixLabors/ImageSharp/pull/2754", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/SixLabors/ImageSharp/pull/2754"}, {"name": "https://github.com/SixLabors/ImageSharp/pull/2756", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/SixLabors/ImageSharp/pull/2756"}, {"name": "https://github.com/SixLabors/ImageSharp/commit/9dda64a8186af67baf06b6d9c1ab599c3608b693", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/SixLabors/ImageSharp/commit/9dda64a8186af67baf06b6d9c1ab599c3608b693"}, {"name": "https://github.com/SixLabors/ImageSharp/commit/a1f287977139109a987065643b8172c748abdadb", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/SixLabors/ImageSharp/commit/a1f287977139109a987065643b8172c748abdadb"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/SixLabors/ImageSharp/security/advisories/GHSA-63p8-c4ww-9cg7", "name": "https://github.com/SixLabors/ImageSharp/security/advisories/GHSA-63p8-c4ww-9cg7", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/SixLabors/ImageSharp/pull/2754", "name": "https://github.com/SixLabors/ImageSharp/pull/2754", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/SixLabors/ImageSharp/pull/2756", "name": "https://github.com/SixLabors/ImageSharp/pull/2756", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/SixLabors/ImageSharp/commit/9dda64a8186af67baf06b6d9c1ab599c3608b693", "name": "https://github.com/SixLabors/ImageSharp/commit/9dda64a8186af67baf06b6d9c1ab599c3608b693", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/SixLabors/ImageSharp/commit/a1f287977139109a987065643b8172c748abdadb", "name": "https://github.com/SixLabors/ImageSharp/commit/a1f287977139109a987065643b8172c748abdadb", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:46:52.374Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-41131", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-22T20:46:35.145007Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:sixlabors:imagesharp:*:*:*:*:*:*:*:*"], "vendor": "sixlabors", "product": "imagesharp", "versions": [{"status": "affected", "version": "0", "lessThan": "2.1.9", "versionType": "custom"}, {"status": "affected", "version": "3.0.0", "lessThan": "3.1.5", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-22T17:49:01.504Z"}}], "cna": {"title": "Out-of-bounds Write in SixLabors ImageSharp", "source": {"advisory": "GHSA-63p8-c4ww-9cg7", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "SixLabors", "product": "ImageSharp", "versions": [{"status": "affected", "version": "< 2.1.9"}, {"status": "affected", "version": ">= 3.0.0, < 3.1.5"}]}], "references": [{"url": "https://github.com/SixLabors/ImageSharp/security/advisories/GHSA-63p8-c4ww-9cg7", "name": "https://github.com/SixLabors/ImageSharp/security/advisories/GHSA-63p8-c4ww-9cg7", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/SixLabors/ImageSharp/pull/2754", "name": "https://github.com/SixLabors/ImageSharp/pull/2754", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/SixLabors/ImageSharp/pull/2756", "name": "https://github.com/SixLabors/ImageSharp/pull/2756", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/SixLabors/ImageSharp/commit/9dda64a8186af67baf06b6d9c1ab599c3608b693", "name": "https://github.com/SixLabors/ImageSharp/commit/9dda64a8186af67baf06b6d9c1ab599c3608b693", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/SixLabors/ImageSharp/commit/a1f287977139109a987065643b8172c748abdadb", "name": "https://github.com/SixLabors/ImageSharp/commit/a1f287977139109a987065643b8172c748abdadb", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "ImageSharp is a 2D graphics API. An Out-of-bounds Write vulnerability has been found in the ImageSharp gif decoder, allowing attackers to cause a crash using a specially crafted gif. This can potentially lead to denial of service. All users are advised to upgrade to v3.1.5 or v2.1.9."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-787", "description": "CWE-787: Out-of-bounds Write"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-07-22T14:24:42.461Z"}}}, "cveMetadata": {"cveId": "CVE-2024-41131", "state": "PUBLISHED", "dateUpdated": "2024-08-02T04:46:52.374Z", "dateReserved": "2024-07-15T15:53:28.324Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-07-22T14:24:42.461Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sixlabors:imagesharp:*:*:*:*:*:*:*:*", "matchCriteriaId": "31448E6E-6851-4531-A627-96FFEB568E92", "versionEndExcluding": "2.1.9", "versionStartIncluding": "2.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:sixlabors:imagesharp:*:*:*:*:*:*:*:*", "matchCriteriaId": "385975D3-74DE-436B-8D5E-612F3F3757AD", "versionEndExcluding": "3.1.5", "versionStartIncluding": "3.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ImageSharp is a 2D graphics API. An Out-of-bounds Write vulnerability has been found in the ImageSharp gif decoder, allowing attackers to cause a crash using a specially crafted gif. This can potentially lead to denial of service. All users are advised to upgrade to v3.1.5 or v2.1.9."}, {"lang": "es", "value": " ImageSharp es una API de gr\u00e1ficos 2D. Se ha encontrado una vulnerabilidad de escritura fuera de los l\u00edmites en el decodificador de gif de ImageSharp, lo que permite a los atacantes provocar un bloqueo utilizando un gif especialmente manipulado. Esto puede conducir potencialmente a la denegaci\u00f3n del servicio. Se recomienda a todos los usuarios que actualicen a v3.1.5 o v2.1.9."}], "id": "CVE-2024-41131", "lastModified": "2024-09-11T14:40:29.460", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-07-22T15:15:03.933", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/SixLabors/ImageSharp/commit/9dda64a8186af67baf06b6d9c1ab599c3608b693"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/SixLabors/ImageSharp/commit/a1f287977139109a987065643b8172c748abdadb"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/SixLabors/ImageSharp/pull/2754"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/SixLabors/ImageSharp/pull/2756"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/SixLabors/ImageSharp/security/advisories/GHSA-63p8-c4ww-9cg7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-787"}], "source": "security-advisories@github.com", "type": "Secondary"}]}